capaths questions

Matt Crawford crawdad at
Mon May 17 18:24:46 EDT 2004

On May 17, 2004, at 15:56, Sam Hartman wrote:

>     Derek> True, but the destination KDC does get to enforce it (as
>     Derek> you suggest later).
> And should not do so.  The destination kdc should leave the policy
> checked flag clear and the application server should reject.

I've been following the thread quietly until this point, but now I have 
to disagree.  I want to be able to have my FNAL.GOV deny the service 
ticket if I choose to, or leave it up to the service to deny access.  
There are some times when we have to convince outsiders that certain 
policies are enforced, and claiming that a hundred sysadmins have 
properly configured a hard-to-audit rule on thousands of hosts is a 
weak case.

More information about the krbdev mailing list